package com.security.order.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;

/**
 * @author wangning
 * @create 2021-03-27 8:46
 */
@Configuration
@EnableResourceServer//表示启动资源服务器
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

	@Autowired
	private TokenStore tokenStore;

	public static final String RESOURCE_ID = "res1";

	@Override
	public void configure(ResourceServerSecurityConfigurer resource) {
		resource.resourceId(RESOURCE_ID)//资源id
//				.tokenServices(tokenService())//验证令牌的服务
				//使用jwt进行验证
				.tokenStore(tokenStore)
				.stateless(true);
	}

	/**
	 * 资源服务令牌解析
	 *
	 * @return 令牌验证结果
	 */
	@Bean
	public ResourceServerTokenServices tokenService() {
		//使用远程服务请求授权服务器校验token，必须指定校验token的url，client_id，client_secret
		RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
		remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:53020/uaa/oauth/check_token");
		remoteTokenServices.setClientId("c1");
		remoteTokenServices.setClientSecret("secret");
		return remoteTokenServices;
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
				.authorizeRequests()
				.antMatchers("/**").access("#oauth2.hasScope('ROLE_ADMIN')")
				.and()
				.csrf().disable()
				.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
	}


}
